1 Troubleshooting Cisco IOS and PIX Firewall-Based IPSec Implementations Session Copyright Printed in USA. 2
Agenda Introduction Router IPSec VPNs PIX IPSec VPNs Cisco EasyVPN Clients NAT with IPSec Firewalling and IPSec MTU Issues GRE over IPSec Loss of Connectivity of IPSec Peers Interoperability Troubleshooting 3 What s Not Covered PKI-based troubleshooting Debugs from the PIX platforms Dynamic Multipoint VPN (DMVPN) IPSec VPN Service Module 4 Copyright Printed in USA.
Why Troubleshooting Is Important in Today s VPN Deployment Complex security association and key management protocols and a rich set of cryptographic algorithms from which VPN peers can choose VPNs are often implemented on top of existing networks Some other advance features could break IPSec Implementations VPNs could be used between different vendors 5 A Key Point to Remember Debug and Show commands are your friends in troubleshooting any IPSec related issues. 6 Copyright Printed in USA.
Secure Communications Using IPSec VPN Proposals Key Generation Key Management Security Association ISAKMP and IKE Proposals VPN Tunnel IPSec Message A B Message Message Needs Secure Communications over Insecure Channel Message 7 IKE (Two-Phase Protocol) IKE IPSec Two-phase protocol: Data Phase I exchange: two peers establish a secure, authenticated channel with which to communicate; main mode or aggressive mode accomplishes a phase I exchange Phase II exchange: security associations are negotiated on behalf of IPSec services; quick mode accomplishes a phase II exchange Each phase has its SAs: ISAKMP SA(phase I) and IPSec SA(phase II) 8 Copyright Printed in USA.
Main Mode with Pre-Shared Key Initiator IKE Responder DES MD5 DH 1 Pre-Share DES SHA DH 2 Pre-Share HDR, SA Proposal HDR, SAchoice DES MD5 DH 1 Pre-Share Generate DH public value and Nonce Phase I SA parameter negotiation complete HDR, KE I, Nonce I HDR, KE R, Nonce R DH key exchange complete, share secret SKEYID e derived Nonce exchange defeat replay Generate DH public value and Nonce HASH I =HMAC(SKEYID, HDR*, ID I, HASH I KE I KE R cookie I cookie R SA ID I ) cookie I SA ID R ) IDs are exchanged, HASH is verified for authentication ID and HASH are encrypted by derived shared secret HDR*, ID R, HASH R HASH R =HMAC(SKEYID, KE R KE I cookie R 9 Phase II Quick Mode Negotiation Initiator IPSec Responder ESP DES SHA PFS 1 HDR*, HASH 1, Sa proposal, Nonce I [,KE I ] [,ID CI,ID CR ] ESP DES SHA PFS 1 HDR*, HASH 2, SA choice, Nonce R, [,KE R ] [,ID CI,ID CR ] HDR*, HASH 3 Protected by Phase I SA Optional DH exchange for Perfect Forward Secrecy (PFS) Negotiate IPSec SA parameters, including proxy identities [IDCI, IDCR] Two unidirectional IPSec SA established with unique SPI number Nonce exchanged for generating session key KEYMAT = HMAC (SKEYIDd,[KEIKER ]protocol SPI NonceI NonceR) 10 Copyright Printed in USA.
Agenda Introduction Router IPSec VPNs PIX IPSec VPNs Cisco EasyVPN Clients NAT with IPSec Firewalling and IPSec MTU Issues GRE over IPSec Loss of Connectivity of IPSec Peers Interoperability Troubleshooting 11 Layout 209.165.200.227 209.165.201.4 Backbone Router1 Router2 10.1.1.0/24 10.1.2.0/24 Encrypted 12 Copyright Printed in USA.
Router Configurations crypto isakmp policy 10 encr 3des authentication pre-share crypto isakmp key jw4ep9846804ijl address 209.165.201.4! crypto ipsec transform-set myset esp-3des esp-md5-hmac! crypto map vpn 10 ipsec-isakmp set peer 209.165.201.4 set transform-set myset match address 101 crypto isakmp policy Defines the Phase 1 SA Parameters crypto ipsec transform-set.. Command Defines IPSec Encryption and authen algo crypto map.. Commands Defines the IPSec SA (Phase II SA) Parameters 13 Router Configurations interface Ethernet0/2 ip address 10.1.1.1 255.255.255.0! Interface that Is Connected to the Private Side of the Network interface Ethernet0/3 ip address 209.165.200.227 255.255.255.0 crypto map vpn! crypto map Is then Applied to an Outbound Interface Access-list Defines Interesting VPN Traffic access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 14 Copyright Printed in USA.
Router Configurations R1#show crypto map Crypto Map "vpn" 10 IPsec-isakmp Peer = 209.165.201.4 Extended IP access list 101 access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 Current peer: 209.165.201.4 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ myset, } Interfaces using crypto map vpn: Ethernet0/3 15 Important Debugs Commands debug crypto isakmp debug crypto ipsec debug crypto engine debug ip packet <acl> detail 16 Copyright Printed in USA.
Debugs Functionality Flow Chart Interesting Traffic Received Main Mode IKE Negotiation Quick Mode Negotiation Establishment of Tunnel IKE IPSec Data 17 Tunnel Establishment The ping source and destination addresses matched the match address access list for the crypto map vpn 22:17:24.426: IPSEC(sa_request):, (key eng. msg.) OUTBOUND local= 209.165.200.227, remote= 209.165.201.4, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), The local is the local tunnel end-point, the remote is the remote crypto end point as configured in the map. The src proxy is the src interesting traffic as defined by the match address access list; The dst proxy is the destination interesting traffic as defined by the match address access list protocol= ESP, transform= esp-3des esp-md5-hmac, lifedur= 3600s and 4608000kb, Interesting Traffic Received spi= 0x4579753B(1165587771), conn_id= 0, keysize= 0, flags= 0x400A The protocol and the transforms are specified by the crypto map which has been hit, as are the lifetimes 18 Copyright Printed in USA.
IKE Main Mode Negotiation Phase I SA Negotiation Initiator Responder Begins Main Mode exchange; The first two packets negotiate phase I SA parameters 3DES SHA-1 DH 1 Pre-Share HDR, SA Proposal IKE HDR, SA choice 3DES SHA-1 DH 1 Pre-Share ISAKMP: received ke message (1/1) ISAKMP: local port 500, remote port 500 ISAKMP (0:1): Input = IKE_MESG_FROM_IPsec, IKE_SA_REQ_MM Old State = IKE_READY New State = IKE_I_MM1 ISAKMP (0:1): beginning Main Mode exchange 22:17:24: ISAKMP (0:1): sending packet to 209.165.201.4(I)MM_NO_STATE 22:17:24: ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_NO_STATE 22:17:24: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Old State = IKE_I_MM1 New State = IKE_I_MM2 19 IKE Main Mode Negotiation Phase I SA Negotiation 22:17:24: ISAKMP (0:1): processing SA payload. message ID = 0 22:17:24: ISAKMP (0:1): processing vendor id payload 22:17:24: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy 22:17:24: ISAKMP: hash SHA 22:17:24: ISAKMP: default group 1 22:17:24: ISAKMP: auth pre-share 22:17:24: ISAKMP: life type in seconds 22:17:24: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 22:17:24: ISAKMP (0:1): atts are acceptable. Next payload is 0 22:17:24: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Old State = IKE_I_MM2 New State = IKE_I_MM2 The policy 10 on this router and the atts offered by the other side matched 20 Copyright Printed in USA.
IKE Main Mode Negotiation DH Exchange The third and fourth packets completes Diffie-Hellman exchange Initiator 3DES SHA-1 DH 1 Pre-Share HDR, SA Proposal IKE HDR, SA choice Responder 3DES SHA-1 DH 1 Pre-Share ISAKMP (0:1): sending packet to HDR, KE I, Nonce I 209.165.201.4 (I) MM_SA_SETUP HDR, KE R, Nonce R ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Old State = IKE_I_MM2 New State = IKE_I_MM3 ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_SA_SETUP ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Old State = IKE_I_MM3 New State = IKE_I_MM4 ISAKMP (0:1): processing KE payload. message ID = 0 ISAKMP (0:1): processing NONCE payload. message ID = 0 ISAKMP (0:1): found peer pre-shared key matching 209.165.201.4 ISAKMP (0:1): SKEYID state generated ISAKMP (0:1): processing vendor id payload 21 IKE Main Mode Negotiation Authentication The fifth and sixth packets complete IKE authentication; Phase 1 SA established Initiator 3DES SHA-1 DH 1 Pre-Share IKE HDR, SA Proposal HDR, SA choice Responder 3DES SHA-1 DH 1 Pre-Share ISAKMP (0:1): SA is doing pre-shared key HDR, KE I, Nonce I authentication using id type ID_IPV4_ADDR HDR, KE R, Nonce R ISAKMP (0:1): sending packet to 209.165.201.4 HDR*, ID I, HASH I (I) MM_KEY_EXCH HDR*, ID R, HASH R ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETEOld State = IKE_I_MM4 New State = IKE_I_MM5 ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_KEY_EXCH ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Old State = IKE_I_MM5 New State = IKE_I_MM6 ISAKMP (0:1): processing ID payload. message ID = 0 ISAKMP (0:1): processing HASH payload. message ID = 0 ISAKMP (0:1): SA has been authenticated with 209.165.201.4 ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE 22 Copyright Printed in USA.
IKE Quick Mode IPSec SA Negotiations Initiator IKE Responder Begin Quick Mode exchange; IPSec SA will be negotiated in QM ESP 3DES SHA IPSec HDR*, HASH 1, Sa proposal, Nonce I [,KE I] [,ID CI,ID CR] HDR*, HASH 2, SA choice, Nonce R, [,KE R] [,ID CI,ID CR] ESP 3DES SHA ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 843945273 ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE ISAKMP (0:1): Node 843945273, Input = IKE_MESG_INTERNAL, IKE_INIT_QM Old State = IKE_QM_READY New State = IKE_QM_I_QM1 ISAKMP (0:1): received packet from 209.165.201.4 (I) QM_IDLE The IPSec SA proposal offered by far end will be checked against local crypto map configuration ISAKMP (0:1): processing HASH payload. message ID = 843945273 ISAKMP (0:1): processing SA payload. message ID = 843945273 23 IKE Quick Mode IPSec SA Negotiations ISAKMP (0:1): Checking IPSec proposal 1 ISAKMP: transform 1, ESP_3DES ISAKMP: attributes in transform: ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 3600 ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 ISAKMP: authenticator is HMAC-MD5 ISAKMP (0:1): atts are acceptable. IPsec(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.201.4, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac, lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 24 Copyright Printed in USA.
IKE Quick Mode SA Creation Two IPSec SAs have been negotiated, an incoming SA with the SPI generated by the local machine and an outbound SA with the SPIs proposed by the remote end ISAKMP (0:1): Creating IPSec SAs inbound SA from 209.165.201.4 to 209.165.200.227(proxy 10.1.2.0 to 10.1.1.0) has spi 0x8EAB0B22 and conn_id 2000 and flags 2 lifetime of 3600 seconds lifetime of 4608000 kilobytes outbound SA from 209.165.200.227 to 209.165.201.4 (proxy 10.1.1.0 to 10.1.2.0) has spi -1910720646 and conn_id 2001 and flags A lifetime of 3600 seconds lifetime of 4608000 kilobytes 25 IKE Quick Mode SA Initialization The IPSec SA info negotiated by IKE will be populated into router s SADB 22:17:25 : IPsec(key_engine): got a queue event... 22:17:25: IPSEC(initialize_sas):, (key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.201.4, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac, lifedur= 3600s and 4608000kb, spi= 0x4579753B(1165587771), conn_id= 2000, keysize= 0, flags=0x2 22:17:25: IPsec(initialize_sas):, (key eng. msg.) OUTBOUND local= 209.165.200.227, remote= 209.165.201.4, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac, lifedur= 3600s and 4608000kb, spi= 0x8E1CB77A(2384246650), conn_id= 2001, keysize= 0, flags= 0xA 26 Copyright Printed in USA.
IKE Quick Mode Phase 2 Completion IPSec SA created in SADB, sent out last packet with commit bit set; IPSec tunnel established IPsec(create_sa): sa created, (sa) sa_dest= 209.165.200.227, sa_prot= 50, sa_spi= 0x4579753B(1165587771), sa_trans= esp-3des esp-md5-hmac, sa_conn_id= 2000 IPsec(create_sa): sa created, Initiator (sa) sa_dest= 209.165.201.4, sa_prot= 50, sa_spi= 0x8E1CB77A(2384246650), sa_trans= esp-3des esp-md5-hmac, sa_conn_id= 2001 ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE ISAKMP (0:1): Node 843945273, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE ESP 3DES SHA IKE IPSec HDR*, HASH 1, Sa proposal, Nonce I [,KE I] [,ID CI,ID CR] HDR*, HASH 2, SA choice, Nonce R, [,KE R] [,ID CI,ID CR] HDR*, HASH3 Data Responder ESP 3DES SHA 27 Show Commands Show crypto engine connection active Show crypto isakmp sa [detail] Show crypto ipsec sa [peer <addr>] 28 Copyright Printed in USA.
Show Commands Router#sh cry engine connection active ID Interface IP-Address State Algorithm Encrypt Decrypt 1 Ethernet0/3 209.165.200.227 set HMAC_SHA+3DES_56_C 0 0 This is ISAKMP SA 2000 Ethernet0/3 209.165.200.227 set HMAC_MD5+3DES_56_C 0 19 2001 Ethernet0/3 209.165.200.227 set HMAC_MD5+3DES_56_C 19 0 These two are IPSec SAs Router#sh crypto isakmp sa dst src state conn-id slot 209.165.201.4 209.165.200.227 QM_IDLE 1 0 29 Show Commands Router#sh crypto ipsec sa interface: Ethernet0/3 Crypto map tag: vpn, local addr. 209.165.200.227 local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0) current_peer: 209.165.201.4 PERMIT, flags={origin_is_acl,} #pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19 #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 209.165.200.227, remote crypto endpt.: 209.165.201.4 path mtu 1500, media mtu 1500 current outbound spi: 8E1CB77A 30 Copyright Printed in USA.
Show Commands inbound esp sas: spi: 0x4579753B(1165587771) transform: esp-3des esp-md5-hmac, in use settings ={Tunnel, } slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn sa timing: remaining key lifetime (k/sec): (4456885/3531) IV size: 8 bytes replay detection support: Y outbound esp sas: spi: 0x8E1CB77A(2384246650) transform: esp-3des esp-md5-hmac, in use settings ={Tunnel, } slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn sa timing: remaining key lifetime (k/sec): (4456885/3531) IV size: 8 bytes replay detection support: Y 31 Hardware Crypto Engine In latest Cisco IOS versions, show commands for different types of hardware crypto cards have been unified Verify hardware/software crypto engine Hardware info Turn on/off the hardware crypto engine Display statistics Debug crypto engine Show crypto engine configuration Show diag [no] crypto engine accelerator [slot_no.] Show crypto engine accelerator stat Debug crypto engine accelerator control/packet 32 Copyright Printed in USA.
Hardware Crypto Engine (Cont.) show crypto engine configuration crypto engine name: Virtual Private Network (VPN) Module crypto engine type: hardware Product Name: AIM-VPN/EP show diag slot : 0 Encryption AIM 0: Hardware Revision : 1.0 Top Assy. Part Number : 800-15369-03 Board Revision : B0 Indicates Hardware Crypto Engine on Shows the Type of Hardware Encryption 33 Hardware Crypto Engine (Cont.) show crypto engine accelerator statistic Virtual Private Network (VPN) Module in aim slot : 0 Statistics for Hardware VPN Module since the last clear of counters 430281 seconds ago 0 packets in 0 packets out 0 packet overruns 0 output packets dropped Last 5 minutes: 0 packets in 0 packets out 0 packets decrypted 0 packets encrypted 0 bytes decrypted 0 bytes encrypted 0 bytes before decrypt 0 bytes after encrypt 34 Copyright Printed in USA.
Hardware Crypto Engine (Cont.) Debug crypto engine accelerator debug cry engine accelerator control detail display the entire command content error display errors from control commands <cr> debug cry engine accelerator packet detail display packet going through crypto accelerator error display errors from packets going through crypto accelerator number number of packet to be printed <cr> 35 Verify Crypto Engine router#sh crypto engine configuration crypto engine name: unknown crypto engine type: ISA/ISM CryptIC Version: FF41 CGX Version: 0111 DSP firmware version: 0061 MIPS firmware version: 0003030F ISA/ISM serial number: B82CA6C09E080DF0E0A1029EF8E7112F3FF5F 67B PCBD info: 3-DES [07F000260000] Compression: No 3 DES: Yes Privileged Mode: 0x0000 Maximum buffer length: 4096 Maximum DH index: 1014 Maximum SA index: 2029 Maximum Flow index: 4059 Maximum RSA key size: 0000 crypto engine in slot: 5 platform: predator crypto_engine Crypto Adjacency Counts: Lock Count: 0 Unlock Count: 0 36 Copyright Printed in USA.
Common Issues Incompatible ISAKMP policy or pre-shared secrets Incompatible transform sets Incompatible or incorrect access lists Crypto map on the wrong interface Overlapping ACLs Routing issues Caveats: switching paths 37 Incompatible ISAKMP Policy or Pre-Shared Secrets If the configured ISAKMP policies don t match the proposed policy by the remote peer, the router tries the default policy of 65535, and if that does not match either, it fails ISAKMP negotiation Default protection suite encryption algorithm: DES Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit A sh crypto isakmp sa shows the ISAKMP SA to be in MM_NO_STATE, meaning the main-mode failed 38 Copyright Printed in USA.
Incompatible ISAKMP Policy or Pre-Shared Secrets 3d01h: ISAKMP (0:1): processing SA payload. message ID = 0 3d01h: ISAKMP (0:1): found peer preshared key matching 209.165.200.227 ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy ISAKMP: ISAKMP: encryption 3DES-CBC hash MD5 ISAKMP: default group 1 ISAKMP: ISAKMP: auth pre-share life type in seconds ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP (0:1): Hash algorithm offered does not match policy! ISAKMP (0:1): atts are not acceptable. Next payload is 0 ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy ISAKMP: ISAKMP: encryption 3DES-CBC hash MD5 ISAKMP: default group 1 ISAKMP: ISAKMP: auth pre-share life type in seconds ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP (0:1): Encryption algorithm offered does not match policy! ISAKMP (0:1): atts are not acceptable. Next payload is 0 ISAKMP (0:1): no offers accepted! ISAKMP (0:1): phase 1 SA not acceptable! 39 Incompatible ISAKMP Policy or Pre-Shared Secrets If the pre-shared secrets are not the same on both sides, the negotiation will fail again, with the router complaining about sanity check failed A sh crypto isakmp sa shows the ISAKMP SA to be in MM_NO_STATE, meaning the main mode failed 40 Copyright Printed in USA.
Incompatible ISAKMP Policy or Pre-Shared Secrets ISAKMP (62): processing SA payload. message ID = 0 ISAKMP (62): Checking ISAKMP transform 1 against priority 10 policy encryption DES-CBC hash SHA default group 1 auth pre-share ISAKMP (62): atts are acceptable. Next payload is 0 ISAKMP (62): SA is doing pre-shared key authentication ISAKMP (62): processing KE payload. message ID = 0 ISAKMP (62): processing NONCE payload. message ID = 0 ISAKMP (62): SKEYID state generated ISAKMP (62); processing vendor id payload ISAKMP (62): speaking to another IOS box! ISAKMP: reserved not zero on ID payload! %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 209.165.200.227 failed its sanity check or is malformed 41 Incompatible IPSec Transform Set If the ipsec transform-set is not compatible or mismatched on the two IPSec devices, the IPSec negotiation will fail, with the router complaining about atts not acceptable for the IPSec proposal ISAKMP (0:2): Checking IPSec proposal 1 ISAKMP: transform 1, ESP_3DES ISAKMP: attributes in transform: ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 3600 ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 0) not supported ISAKMP (0:2): atts not acceptable. Next payload is 0 ISAKMP (0:2): SA not acceptable! 42 Copyright Printed in USA.
Incompatible or Incorrect Access Lists If the access lists on the two routers don t match proxy identities not supported will result It is recommended that access lists on the two routers be reflections of each other It is also highly recommended that the key word any not be used in match address access lists 43 Incompatible or Incorrect Access Lists 1w6d: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 209.165.201.4, remote= 209.165.200.227, local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac, lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 1w6d: IPSEC(validate_transform_proposal): proxy identities not supported 1w6d: ISAKMP (0:2): IPSec policy invalidated proposal 1w6d: ISAKMP (0:2): phase 2 SA not acceptable! Access List at 209.165.200.227: access list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 Access List at 209.165.201.4: access list 101 permit ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255 44 Copyright Printed in USA.
Crypto Map on the Wrong Interface The crypto map needs to be applied to the outgoing interface of the router IPSEC(validate_proposal): invalid local address 209.165.201.4 ISAKMP (0:4): atts not acceptable. Next payload is 0 ISAKMP (0:4): phase 2 SA not acceptable! If you don t want to use the outside interface s IP as the local ID, use the command crypto map <name> localaddress <interface>, to specify the correct interface If there are physical as well as logical interfaces involved in carrying outgoing traffic, the crypto map needs to be applied to both; however, this restriction has been taken off in the latest Cisco IOS 45 Overlapping ACLs If there are multiple peers to a router, make sure that the match address access lists for each of the peers are mutually exclusive from the match address access list for the other peers If this is not done, the router will choose the wrong crypto map to try and establish a tunnel with one of the other peers 46 Copyright Printed in USA.
Incorrect SA Selection by the Router IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.202.149, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac, lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 IPSEC(validate_transform_proposal): peer address 209.165.202.149 not found ISAKMP (0:2): IPSec policy invalidated proposal ISAKMP (0:2): phase 2 SA not acceptable! Access list for 209.165.201.4: Access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 Access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255 Access list for 209.165.202.149: Access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 47 Routing Issues A packet needs to be routed to the interface which has the crypto map configured on it before IPSec will kick in Routes need to be there for: The router to reach its peers address The IP subnets of the destination host before the packets are encrypted The IP subnets of the destination host once the packets are decrypted Use the debug ip packet <acl> detailed to see if the routing is occurring correctly (be careful on the busy networks!!!) 48 Copyright Printed in USA.
Possible Caveats in Switching Paths Symptom: Only see encryption or decryption counter incrementing from show crypto eng conn active Caveats in the switching paths might cause IPSec encryption/decryption failures Workaround: Try different switch paths (CEF, fast switching, process switching) Process switching can cause performance issues! 49 Quiz Agenda Time PROXY IDS Introduction NOT SUPPORTED.. Debug Message Means: Router IPSec VPNs PIX IPSec VPNs 1. Phase 2 Hashing is mismatched Cisco EasyVPN Clients 2. Access-List is mismatched NAT with IPSec 3. Phase Firewalling 2 Encryption and IPSec type is mismatched MTU Issues GRE over IPSec 4. DH group is mismatched Loss of Connectivity of IPSec Peers Interoperability Troubleshooting 50 Copyright Printed in USA.
Layout 10.1.1.0/24 209.165.202.129 209.165.200.226 10.1.2.0/24 Internet PIX 1 PIX 2 Private Encrypted Public Private 51 PIX-to-PIX VPN Configuration access-list bypassnat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 nat (inside) 0 access-list bypassnat Access-List bypassnat Defines Interesting Traffic to bypass NAT for VPN NAT 0 Command Bypasses NAT for the Pkts Destined over the IPSec Tunnel access-list encrypt permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 Access-list encrypt Defines VPN Interesting Traffic ip address outside 209.165.202.129 255.255.255.0 ip address inside 10.1.1.1 255.255.255.0 IP Addresses on the outside route outside 0.0.0.0 0.0.0.0 209.165.202.158 and 1 inside Interfaces sysoptconnection permit-ipsec Sysopt Command Bypasses Conduits or ACLs Checking to Be Applied on the Inbound VPN Packets after Decryption 52 Copyright Printed in USA.
Standard Site-to-Site VPN Configuration Highlight crypto ipsec transform-set mysetdes esp-des esp-md5-hmac crypto IPSec.. Command Defines IPSec Encryption and authen algo crypto map encryptmap 20 ipsec-isakmp crypto map.. crypto map encryptmap 20 match address encrypt Commands Define the crypto map encryptmap 20 set peer 209.165.200.226 IPSec SA (Phase II SA) Parameters crypto map encryptmap 20 set transform-set mysetdes crypto map encryptmap interface outside isakmp enable outside isakmp key cisco123 address 209.165.200.226 netmask 255.255.255.255 no-xauth no-config-mode isakmp key.. Command Defines the Pre-Shared Key for the Peer Address isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 86400 isakmp policy.. Defines the Phase 1 SA Parameters 53 Common Issues Bypassing NAT Enabling ISAKMP Missing sysopt commands Combining PIX-PIX and PIX-VPN client issues 54 Copyright Printed in USA.
Bypassing NAT Nat needs to be bypassed on the PIX in order for the remote side to access the private network behind the PIX seamlessly Use the NAT 0 command with an access list to achieve that 55 Enabling ISAKMP Unlike the router, ISAKMP is not enabled by default on the PIX Use the command isakmp enable <interface> to enable it on an interface 56 Copyright Printed in USA.
Missing Sysopt Commands After decryption, PIX will check the access-lists or conduits against the decrypted IP packets Access-lists or conduits need to be configured to permit decrypted IP traffic Enable sysopt connection permit-ipsec to bypass the access-list/conduit checking against VPN traffic after decryption 57 Combining PIX-PIX and PIX-Client Issues If you are doing mode config or x-auth for the VPN clients you would need to disable them for the site-to-site VPN connections Use the no-config-mode and no x-auth tags at the end of the pre-shared key definitions to disable mode config and x-auth isakmp peer fqdn fqdn no-xauth noconfig-mode in case rsa-sig is used as IKE authentication method 58 Copyright Printed in USA.
Agenda Introduction Router IPSec VPNs PIX IPSec VPNs Cisco EasyVPN Clients NAT with IPSec Firewalling and IPSec MTU Issues GRE over IPSec Loss of Connectivity of IPSec Peers Interoperability Troubleshooting 59 Layout 209.165.200.227 WINS Router 172.18.124.96 VPN Client 10.1.1.0/24 Internet 209.165.201.4 14.38.1.0/24 Router DNS 14.38.2.0/24 Pix 209.165.200.226 209.165.201.2 Pix 60 Copyright Printed in USA.
EasyVPN Client to a Router aaa new-model aaa authentication login userauthen local aaa authorization network groupauthor local username cisco password 0 cisco123 Username pix password 0 cisco123! aaa Commands Enable User Authentication and Group Authorization crypto isakmp policy 3 encr 3des authentication pre-share group 2! ISAKMP Policy Defines Phase 1 Parameters crypto isakmp client configuration group vpnclient key cisco123 dns 10.1.1.10 wins 10.1.1.20 domain cisco.com pool ippool acl 100 Crypto isakmp client configuration.. commands define mode- Configuration Parameters that Will Be Passed to the VPN Clients 61 EasyVPN Client to a Router (Cont.) crypto IPSec transform-set myset esp-3des esp-sha-hmac! crypto dynamic-map dynmap 10 set transform-set myset! crypto IPSec.. Command Defines IPSec Encryption and authen algo crypto dynamic-map Defines a Dynamic Map which Would Be Included in the Actual Map crypto map clientmap client authentication list userauthen crypto map clientmap isakmp authorization list groupauthor crypto map clientmap client configuration address respond crypto map clientmap 10 IPsec-isakmp dynamic dynmap crypto map Commands Define the Actual Map which Would Be Applied to the Outbound Interface for the Data Encryption 62 Copyright Printed in USA.
EasyVPN Client to a Router (Cont.) ip local pool ippool 14.1.1.1 14.1.1.254! ip local pool Command Defines a Pool of Addresses to Be Assigned back to the VPN Client access-list 100 permit ip 10.1.1.0 0.0.0.255 14.1.1.0 0.0.0.255 access-list 100 permit ip 10.1.1.0 0.0.0.255 14.38.1.0 0.0.0.255 access-list 100 permit ip 10.1.1.0 0.0.0.255 14.38.2.0 0.0.0.255! interface FastEthernet2/0 ip address 209.165.200.227 255.255.255.0 crypto map clientmap access-list Defines Split-Tunneling crypto map Is then Applied to an Outbound Interface 63 EasyVPN Client to a PIX access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 access-list 101 permit ip 10.1.1.0 255.255.255.0 14.38.1.0 255.255.255.0 access-list 101 permit ip 10.1.1.0 255.255.255.0 14.38.2.0 255.255.255.0 Define an Access-List, that Would Be Used to by-pass NAT for the IPSec Traffic nat (inside) 0 access-list 101 ip address outside 209.165.200.226 255.255.255.224 ip address inside 10.1.1.1 255.255.255.0 Define IP Address on the Interfaces isakmp enable outside isakmp identity address isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 ISAKMP Policy Defines Phase 1 Parameters 64 Copyright Printed in USA.
EasyVPN Client to a PIX (Cont.) ip local pool ippool 10.1.2.1-10.1.2.254 sysopt connection permit-ipsec vpngroup vpnclient address-pool ippool vpngroup vpnclient dns-server 10.1.1.2 vpngroup vpnclient wins-server 10.1.1.2 vpngroup vpnclient default-domain cisco.com vpngroup vpnclient split-tunnel 101 vpngroup vpnclient idle-time 1800 vpngroup vpnclient password ******** crypto IPSec transform-set myset esp-des esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map mymap 10 IPsec-isakmp dynamic dynmap crypto map mymap interface outside Define a Pool of Addresses to Be Assigned back to the VPN Client Sysopt Command Bypasses Conduits or ACLs Checking to Be Applied on the Inbound VPN Packets after Decryption vpngroup Commands Enable Group Authorization; You Can Pass down Mode-Configuration Parameters within This Section back to the VPN Client; Note that Access-list 101 Can Be Used Again for Split-Tunneling crypto IPSec transform-set Command Defines Phase 2 Negotiation Parameters crypto map Commands Defines the Actual Map which Would Be Applied to an Interface for the Data Encryption 65 VPN Client Configuration To Launch the VPN client, click: Start Programs Cisco Systems VPN client VPN Client 66 Copyright Printed in USA.
Cisco IOS EasyVPN Client crypto ipsec client ezvpn ezvpnclient connect auto group vpnclient key cisco123 mode network-extension peer 209.165.200.227 crypto ipsec client Commands Define the Connection Parameters to Establish an EasyVPN tunnel interface Ethernet0 ip address 14.38.1.1 255.255.255.0 crypto ipsec client ezvpn ezvpnclient inside hold-queue 100 out crypto ipsec client inside Command Defines the Private Subnet for the IPSec Encryption interface Ethernet1 ip address 209.165.201.4 255.255.255.224 crypto ipsec client ezvpn ezvpnclient crypto ipsec client Command Is then Applied to an Outbound Interface 67 PIX EasyVPN Client hostname vpn-pix501b domain-name cisco.com vpnclient server 209.165.200.227 vpnclient mode network-extension-mode vpnclient vpngroup vpnclient password ******** vpnclient username cisco password ******** vpnclient enable vpnclient Commands Define the Connection Parameters to Establish an EasyVPN Tunnel route outside 0.0.0.0 0.0.0.0 209.165.201.1 1 ip address outside 209.165.201.2 255.255.255.224 ip address inside 14.38.2.1 255.255.255.0 68 Copyright Printed in USA.
Cisco IOS Debugs: Phase I Negotiation Debug crypto isakmp Debug crypto ipsec Debug crypto ipsec client ezvpn ( on EZVPN client ) ISAKMP (0:0): received packet from 172.18.124.96 (N) NEW SA ISAKMP: local port 500, remote port 500 ISAKMP (0:10): Checking ISAKMP transform 1 against priority 3 policy ISAKMP: ISAKMP: encryption 3DES-CBC hash SHA ISAKMP: default group 2 ISAKMP: ISAKMP: ISAKMP: auth XAUTHInitPreShared life type in seconds life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP (0:10): atts are acceptable. Next payload is 3 Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT This Message Indicates that This Router Received an ISAKMP Message from the EZVPN Client on src port 500, dst port=500 Router Is Trying to Match the Received Proposal # 1 with the Configured Proposal # 3 Received Proposal Is Acceptable Since the 3.x Client Does Aggressive Mode, the New State Is IKE_R_AM_AAA_AWAIT 69 Cisco IOS Debugs: Xauth ISAKMP (0:10): Need XAUTH ISAKMP/xauth: request attribute XAUTH_TYPE_V2 ISAKMP/xauth: request attribute XAUTH_MESSAGE_V2 ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2 ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2... ISAKMP: Config payload REPLY ISAKMP/xauth: reply attribute XAUTH_TYPE_V2 unexpected ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2 ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2 Router Is Requesting the VPN Client for User Authentication Router Is Receiving the X-Auth Attributes from the VPN Client 70 Copyright Printed in USA.
Cisco IOS Debugs: Mode Configuration ISAKMP (0:10): checking request: ISAKMP: IP4_ADDRESS ISAKMP: IP4_NETMASK ISAKMP: IP4_DNS ISAKMP: IP4_NBNS ISAKMP: ADDRESS_EXPIRY ISAKMP: APPLICATION_VERSION ISAKMP: UNKNOWN Unknown Attr: 0x7000 ISAKMP: Sending private address: 14.1.1.3 ISAKMP: Unknown Attr: IP4_NETMASK (0x2) ISAKMP: Sending IP4_DNS server address: 14.36.1.10 ISAKMP: Sending IP4_NBNS server address: 14.36.1.20 ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86395 ISAKMP: Sending APPLICATION_VERSION string: Cisco Internetwork OperatingSystem Software IOS (tm) 7200 Software (C7200-IK9S-M), Version 12.2(15)T, RELEASE SOFTWARE (fc1) ISAKMP: Unknown Attr: UNKNOWN (0x7000) Received Mode Configuration Request from the VPN Client Unknown Attr: Is Not an Error; It Just Means that PIX Does Not Support this mode-config Attribute Requested by the VPN Client Router Is Sending the Mode-Configuration back to the VPN Client 71 Cisco IOS Debugs: Phase II Negotiation ISAKMP (0:11): Checking IPSec proposal 4 ISAKMP: transform 1, ESP_3DES ISAKMP: attributes in transform: ISAKMP: ISAKMP: encaps is 1 ISAKMP: ISAKMP: authenticator is HMAC-SHA SA life type in seconds SA life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP (0:11): atts are acceptable. ISAKMP (0:11): Creating IPSec SAs inbound SA from 172.18.124.96 to 14.36.100.101 (proxy 14.1.1.4 to 14.36.100.101) has spi 0x962A493B and conn_id 2000 and flags 4 lifetime of 2147483 seconds outbound SA from 14.36.100.101 to 172.18.124.96 (proxy 14.36.100.101 to 14.1.1.4) has spi -2145675534 and conn_id 2001 and flags C lifetime of 2147483 seconds Router Is Checking and Validating the IPSec Proposals After Validating the Phase II, the IPSec SAs Are Created; One SA for Inbound Traffic and the Other SA for the Outbound Traffic 72 Copyright Printed in USA.
Common Issues VPN clients only propose DH group 2 and 5 Configure DH group 2 or 5 on Cisco IOS or PIX Configure isakmp identity hostname if rsa-sig is used as an IKE authentication method aaa authorization needs to be enabled on the router, so that router can accept/send mode-configuration attributes On, Cisco IOS EasyVPN client, for X-Auth, you have to manually type crypto ipsec client ezvpn xauth 73 Quiz Agenda Time The Purpose Introduction of sysopt connection permit-ipsec Is: Router IPSec VPNs PIX IPSec VPNs 1. To bypass Cisco EasyVPN conduits Clients or ACL checking against the decrypted VPN traffic NAT with IPSec 2. To bypass Firewalling NAT and for IPSec the IPSec traffic MTU Issues 3. To bypass the assignment of IP address GRE over IPSec to the VPN client Loss of Connectivity of IPSec Peers 4. To bypass X-Auth for the VPN clients Interoperability Troubleshooting 74 Copyright Printed in USA.
Common Problems Bypassing NAT entries NAT in the middle of an IPSec tunnel 75 Bypassing NAT Entries Bypassing dynamic NAT entries ip nat inside source route-map nonat interface Ethernet1/0 overload access list 150 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access list 150 permit ip 10.1.2.0 0.0.0.255 any route-map nonat permit 10 match ip address 150 Static NAT entries can be bypassed using a loopback interface and policy routing for Cisco IOS images prior to 12.2.4T; Starting from 12.2.4T a route-map can be used with static NAT to bypass NAT Tools to debug this setup are: show ip nat translation debug ip nat debug ip policy 76 Copyright Printed in USA.
Bypassing Static NAT Entries e0/2 nat in lo1 crypto map vpn 10 IPsec-isakmp set peer 209.165.201.4 set transform-set myset match address 101 interface Loopback1 ip address 10.2.2.2 255.255.255.252 interface Ethernet0/03 ip address 209.165.200.227 255.255.255.0 ip nat outside crypto map vpn e0/3 nat out crypto map interface Ethernet0/2 ip address 10.1.1.3 255.255.255.0 ip nat inside ip route-cache policy ip policy route-map nonat ip nat inside source list 1 interface Ethernet0/3 overload ip nat inside source static 10.1.1.1 209.165.200.230 access list 1 permit 10.0.0.0 0.255.255.255 access list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 access list 120 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 route-map nonat permit 10 match ip address 120 set ip next-hop 10.2.2.1 77 Bypassing Static NAT Entries e0/2 nat in e0/3 nat out crypto map crypto map vpn 10 IPsec-isakmp set peer 209.165.201.4 set transform-set myset match address 101 interface Ethernet0/03 ip address 209.165.200.227 55.255.255.0 ip nat outside crypto map vpn interface Ethernet0/2 ip address 10.1.1.3 255.255.255.0 ip nat inside ip nat inside source list 1 interface Ethernet0/3 overload ip nat inside source static 10.1.1.1 209.165.200.230 route-map nonat access-list 1 permit 10.1.1.0 255.255.255.0 access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 access-list 120 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 access-list 120 permit ip 10.1.1.0 0.0.0.255 any route-map nonat permit 10 match ip address 120 78 Copyright Printed in USA.
NAT in the Middle of an IPSec Tunnel In many cases, VPN clients are behind NAT/PAT devices IPSec over NAT (NAT -T) support was first introduced in 12.2.15T for routers and version 6.3 for PIX IPSec pass-thru feature is supported on certain NAT/PAT devices; ISAKMP cookie and ESP SPI are used to build translation table NAT -T is turned on by default on Cisco IOS Use isakmp nat-traversal <natkeepalive> to turn on NAT -T on PIX Turn on IPSec over UDP/TCP, or NAT -T feature in case of VPN 3000 Concentrator 79 Agenda Introduction Router IPSec VPNs PIX IPSec VPNs Cisco EasyVPN Clients NAT with IPSec Firewalling and IPSec MTU Issues GRE over IPSec Loss of Connectivity of IPSec Peers Interoperability Troubleshooting 80 Copyright Printed in USA.
Firewall in the Middle Internet Router Private Encrypted Public Private ESP (IP protocol type 50) or/and AH (IP/51) UDP port 500 (ISAKMP), and/or UDP port 4500 (NAT -T) 81 Firewalling and IPSec Firewall on the IPSec endpoint router: ESP or/and AH UDP port 500 (IKE) and 4500 (NAT -T) Decrypted packet IP addresses (incoming access group is applied twice) Firewall on the IPSec endpoint PIX: Sysopt connection permit-ipsec (no conduit or access-list is needed) Use of conduits or access-list (no sysopt connection permit-ipsec is needed gives you more security for the decrypted pkts) 82 Copyright Printed in USA.
Agenda Introduction Router IPSec VPNs PIX IPSec VPNs Cisco EZVPN Clients NAT with IPSec Firewalling and IPSec MTU Issues GRE over IPSec Loss of Connectivity of IPSec Peers Interoperability Troubleshooting 83 IPSec MTU Issues Overhead introduced by IPSec encapsulation (~60 bytes) Possible fragmentation after encryption leads to reassembly on the VPN peer router (process-switched, performance degradation) IPSec and Path MTU discovery (PMTU) IPSec copies Don t Fragment (DF) bit from original data packets IP header IPSec dynamically update Path MTU in the SADB if router receives PMTU ICMP message The MTU hint in the PMTU ICMP message is physical MTU- ipsec_overhead (calculated based on transform-set) 84 Copyright Printed in USA.
IPSec and PMTU 10.1.1.2 MTU 1500 172.16.172.10/28 172.16.172.20/28 MTU 1500 e1/1 e1/0 MTU 1500 MTU 1400 MTU 1500 10.1.2.2 Path 1500 Media 1500 IPSec Tunnel Path 1500 Media 1500 1500 DF=1 ICMP Type3 Code 4 (1454) 1454 DF=1 1500 DF copied 1454 DF=1 ICMP Type3 Code 4 (1354) ICMP (1400) IPSec SPI copied ICMP: dst (10.1.2.2) frag. needed and DF set unreachable sent to 10.1.1.2 ( debug ip icmp output) ICMP: dst (172.16.172.20) frag. needed and DF set unreachable rcv from 172.16.172.11 Adjust path MTU on corresponding IPSec SA path mtu 1400, media mtu 1500 current outbound spi: EB84DC85 1354 DF=1 1400 1400 1354 85 Common Problem PMTU ICMP packets lost or blocked Debug ip icmp on router to verify if ICMP packets are sent or received Use sniffer to verify if ICMP packets are lost Work arounds Reduce MTU or disable PMTU on end host Configure router to clear DF bit of data packets Adjust TCP MSS on router to fine tune TCP windows Look-ahead fragmentation 86 Copyright Printed in USA.
MTU Issues Work around: Policy Routing crypto map vpn 10 IPsec-isakmp set peer 172.16.172.10 set transform-set myset match address 101! interface Ethernet1/0 ip address 172.16.172.20 255.255.255.240 no ip redirects duplex half crypto map vpn! interface Ethernet1/1 ip address 10.1.2.1 255.255.255.0 ip policy route-map ClearDF no ip redirects duplex half route-map ClearDF permit 10! match ip address 101 set ip df 0 access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 Use policy routing to set DF bit of the interesting traffic to 0 87 MTU Issues Work around: DF Bit Override Feature DF bit override feature with IPSec allows router to set, copy or clear the DF bit from the IPSec encapsulated header Router(config)#crypto ipsec df-bit clear First introduced in 12.2(2)T Only works for IPSec tunnel mode With df-bit clear option, large packets will be fragmented after encryption 88 Copyright Printed in USA.
MTU Issues Work around: Look ahead Fragmentation Fragment large packets before IPSec encryption to avoid performance issues Works for IPSec tunnel mode only Depends on crypto ipsec df-bit config First introduced in 12.1(11)E; the feature was integrated in 12.2.(13)T and 12.2(14)S Crypto ipsec df-bit clear Crypto ipsec fragmentation before-encryption 89 MTU Issues Work around: Adjusting TCP MSS Adjust TCP MSS (maximum send segment) under ingress interface: ip tcp adjust-mss <number> Router will sniff on the incoming TCP SYN packets and tweak the TCP MSS field to configured number Remote host will use adjusted MSS value correspondingly Choose MSS to avoid fragmentation MSS <= interface MTU IPSec Overhead 40 (IP header and TCP header) 90 Copyright Printed in USA.
Agenda Quiz Time The Purpose Introduction of crypto ipsec df-bit clear Is: Router IPSec VPNs PIX IPSec VPNs 1. To adjust the TCP-MSS value in the syn Cisco EasyVPN Clients packets NAT with IPSec 2. To help the router in doing Path MTU Firewalling and IPSec Discovery MTU Issues 3. To drop the IPSec packets if don t GRE over IPSec fragment bit is set Loss of Connectivity of IPSec Peers 4. To remove the don t fragment bit Interoperability Troubleshooting 91 GRE over IPSec a. Original Packet b. GRE Encapsulation c. GRE over IPSec Transport Mode d. GRE over IPSec Tunnel Mode a GRE IPSec Internet IP Hdr 1 TCP hdr Data b IP hdr 2 GRE hdr IP Hdr 1 TCP hdr Data c IP hdr 2 ESP hdr GRE hdr IP Hdr 1 TCP hdr Data d IP hdr 3 ESP hdr IP hdr 2 GRE hdr IP Hdr 1 TCP hdr Data 92 Copyright Printed in USA.
GRE over IPSec (Common Configuration Issues) Apply crypto map on both the tunnel interfaces and the physical interfaces Specify GRE traffic as IPSec interesting traffic access-list 101 permit gre host 200.1.1.1 host 150.1.1.1 Static or dynamic routing is needed to send VPN traffic to the GRE tunnel before it gets encrypted 93 GRE over IPSec (Avoid Recursive Routing) To avoid GRE tunnel interface flapping due to recursive routing, keep transport and passenger routing information separate: Use different routing protocols or separate routing protocol identifiers Keep tunnel IP address and actual IP network addresses ranges distinct For tunnel interface IP address, don t use unnumbered to loopback interface when the loopback s IP address resides in the ISP address space 94 Copyright Printed in USA.
GRE over IPSec (MTU Issues) Overhead calculation of GRE over IPSec (assume ESP-DES and ESP-MD5-HMAC): ESP overhead (with authentication): 31 38 bytes GRE header: 24 bytes IP header: 20 byes GRE over IPSec with tunnel mode introduces ~75 bytes overhead, GRE over IPSec with transport mode introduces ~55 bytes overhead 95 GRE over IPSec (MTU Issues) After GRE tunnel encapsulation, the packets will be sent to physical interface with DF bit set to 0 The GRE packets will then be encrypted at physical interface; if IPSec overhead causes final IPSec packets to be bigger than the interface MTU, the router will fragment the packets The remote router will need to reassemble the fragmented IPSec packets (process switched) which causes performance degradation 96 Copyright Printed in USA.
GRE over IPSec (MTU Issues) To avoid fragementation and reassembly of IPSec packets: 1. Set ip mtu 1420 (GRE/IPsec tunnel mode), ip mtu 1440 (GRE/IPsec transport mode) under tunnel interface 2. Enable tunnel path-mtu-discovery (DF bit copied after GRE encapsulation) under tunnel interface 3. Turn on Look-Ahead Fragmentation feature Use show ip int switching to verify switching path 97 GRE over IPSec (MTU Issues) Workarounds in case PMTU ICMP packets are lost or blocked int tunnel 0 ip mtu 1500 Incoming big size packets with DF=1 will not be dropped by GRE tunnel due to larger MTU setting The IPSec packets after GRE encapsulation (DF=0) will be fragmented before they leave the router Performance affects due to fragmentation 98 Copyright Printed in USA.
Agenda Introduction Router IPSec VPNs PIX IPSec VPNs Cisco EasyVPN Clients NAT with IPSec Firewalling and IPSec MTU Issues GRE over IPSec Loss of Connectivity of IPSec Peers Interoperability Troubleshooting 99 Loss of Connectivity of IPSec Peers Internet IPSec SA SPI Peer Local_id Remote_id Transform ESP SPI=0xB1D1EA3F IPSec SA SPI Peer Local_id Remote_id Transform 00:01:33: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=172.16.172.28, prot=50, spi=0xb1d1ea3f(-1311643073) 100 Copyright Printed in USA.
Loss of Connectivity of IPSec Peers Use ISAKMP keepalives to detect loss of connectivity of Cisco IOS IPSec peers crypto isakmp keepalive <# of sec. between keepalive> <number of sec. between retries if keepalive fails> ISAKMP keepalives might cause performance degradation for large deployments, choose keepalive parameters carefully In latest Cisco IOS and PIX versions, ISAKMP keepalives are replaced by DPD (Dead Peer Detection) for lower CPU overhead 101 Agenda Introduction Router IPSec VPNs PIX IPSec VPNs Cisco EasyVPN Clients NAT with IPSec Firewalling and IPSec MTU Issues GRE over IPSec Loss of Connectivity of IPSec Peers Interoperability Troubleshooting 102 Copyright Printed in USA.
Interoperability Tips Start with configuring the two ends side by side with exact matching policies Phase I Parameters IKE authentication method Hash algorithm DH group ISAKMP SA lifetime Encryption algorithm Matching pre-shared secret Phase II Parameters IPSec mode (tunnel or transport) Encryption algorithm Authentication algorithm PFS group IPSec SA Lifetime Interesting traffic definition Turn off vendor specific features: Mode config, Xauth, IKE keepalive 103 Troubleshooting Resource TAC Web Field Notices alerts to critical issues Security Advisories internet security issues and response procedures TAC Technical Tips tips for troubleshooting; sample configurations www.cisco.com/tac 104 Copyright Printed in USA.
Troubleshooting Resource TAC Web Task-based organization Overview Network design Implementation and configuration Verification and troubleshooting Operating and maintaining Documentation www.cisco.com/tac 105 Recommended Reading Troubleshooting Cisco IP Telephony ISBN: 1587050757 Available on-site at the Cisco Company Store 106 Copyright Printed in USA.
Please Complete Your Evaluation Form Session 107 Copyright Printed in USA.